CN120602181A - Confusion encryption method, apparatus, device, medium, and program product - Google Patents

Confusion encryption method, apparatus, device, medium, and program product

Info

Publication number
CN120602181A
Authority
CN
China
Prior art keywords
encryption
key
algorithm
data
tool
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510851390.1A
Other languages
Chinese (zh)
Inventor
杨再同
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202510851390.1A
Publication of CN120602181A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The present application provides an obfuscation encryption method that can be applied in the field of cloud computing. The method includes: establishing a first encryption channel between a system page end and a national cryptographic obfuscation encryption tool and, based on the Hypertext Transfer Protocol Secure (HTTPS), transmitting data processed by a first encryption algorithm through the first encryption channel; using the national cryptographic obfuscation encryption tool to receive the data and perform security verification to obtain the key string and national cryptographic algorithm type corresponding to the first encrypted data; based on the key string and national cryptographic algorithm type, decrypting the first encrypted data in a secure isolation environment inside the national cryptographic obfuscation encryption tool and re-encrypting the decrypted data with a national cryptographic algorithm to obtain re-encrypted data; and transmitting the re-encrypted data to the server through a second encryption channel, which uses a national cryptographic algorithm and performs encryption with a hardware cipher machine. The present application also provides an obfuscation encryption apparatus, device, storage medium, and program product.

Description

Confusion encryption method, apparatus, device, medium, and program product
Technical Field
The present application relates to the field of cloud computing, and more particularly, to a confusion encryption method, apparatus, device, medium, and program product.
Background
With the rapid development of internet technology, the functions of World Wide Web (Web) applications are increasingly abundant, and the data interaction volume is also rapidly increasing. However, this also brings serious information security problems. In Web applications, interaction and data transmission between the front end and the back end are key links of information flow, and the security of the interaction and the data transmission is directly related to privacy protection of users, business confidentiality of enterprises and network security.
Currently, to secure front-end and back-end data transmission in Web applications, encryption at the network layer is considered first. The Hypertext Transfer Protocol Secure (HTTPS) is a widely used network layer encryption protocol that encrypts transmitted data through the Secure Sockets Layer/Transport Layer Security protocol (SSL/TLS), effectively preventing the data from being eavesdropped on or tampered with during transmission. HTTPS is widely used in fields such as e-commerce, online payment, and social networks, and provides users with a relatively secure network environment.
However, from an information security perspective, relying solely on network layer encryption is not sufficient to fully protect highly sensitive information. Network layer encryption mainly protects data while it is in transit; it does not protect the data while it is being processed at the front end and the back end. In practical applications, the front end often needs to encrypt sensitive data before sending it to the back end, so that the data is not leaked before transmission. This requires encryption at the application layer.
For application layer encryption, common methods include internationally used algorithms such as the asymmetric encryption algorithm RSA and the Advanced Encryption Standard (AES), as well as the national cryptographic algorithms that have received increasing attention in recent years, such as the elliptic curve public key cryptographic algorithm (SM2), the cryptographic hash algorithm (SM3), and the block cipher algorithm (SM4). RSA is an asymmetric encryption algorithm with high security but relatively slow encryption and decryption, suitable for encrypting small amounts of data or for key exchange. AES is a symmetric encryption algorithm with fast encryption and decryption, suitable for encrypting large amounts of data. However, front-end use of either RSA or AES shares a common problem: the front end must first obtain a key string for encryption, and once the key string is exposed at the front end it may be obtained by a malicious user, rendering the encryption ineffective.
In addition, using domestically developed encryption algorithms is of strategic importance. Domestically developed algorithms keep the encryption technology under autonomous control and avoid the risk of the technology being restricted or cracked. The national cryptographic algorithms, as encryption technology independently researched and developed in China, offer higher security and autonomous controllability and are gradually being applied in key fields such as government affairs, finance, and energy.
In view of the above, it is necessary to package an obfuscation encryption tool based on the national cryptographic algorithms. The tool encrypts sensitive data at the front end and uses obfuscation techniques to protect the encryption code, so that the key string and the encryption logic cannot easily be obtained. At the back end, the server decrypts the encrypted data, which realizes double-layer encryption of the data. This double-layer encryption mechanism greatly improves the security of data transmission and effectively prevents data from being stolen or tampered with during transmission and processing.
Disclosure of Invention
In view of the foregoing, the present application provides an obfuscation encryption method, apparatus, device, medium, and program product.
According to a first aspect of the application, an obfuscation encryption method is provided, comprising: establishing a first encryption channel between a system page end and a national cryptographic obfuscation encryption tool, and transmitting data processed by a first encryption algorithm through the first encryption channel based on the Hypertext Transfer Protocol Secure (HTTPS); receiving, by the national cryptographic obfuscation encryption tool, the data processed by the first encryption algorithm and performing security verification to obtain a key string and a national cryptographic algorithm type corresponding to the first encrypted data, wherein a key in the key string can be updated by rotation; decrypting the first encrypted data, based on the key string and the national cryptographic algorithm type, in a secure isolation environment inside the national cryptographic obfuscation encryption tool, and re-encrypting the decrypted data with a national cryptographic algorithm to obtain re-encrypted data; and transmitting the re-encrypted data to a server through a second encryption channel, wherein the second encryption channel uses a national cryptographic algorithm and performs encryption with a hardware cipher machine.
According to an embodiment of the application, the encryption algorithm of the first encryption channel is dynamically selected by the user as required, and the key of the first encryption algorithm is dynamically generated by the system page end and is used only for the current communication.
According to an embodiment of the application, performing security verification comprises: in response to receiving the first encrypted data, extracting a user identifier from user basic information, wherein the first encrypted data is associated with the user basic information; acquiring an organization unique identifier associated with the user identifier from a remote dictionary service; querying the corresponding key string and national cryptographic algorithm type from a key string database based on the organization unique identifier; and verifying that the key string and the national cryptographic algorithm type match a preset security policy.
According to an embodiment of the application, the secure isolation environment is a hardware security module or a trusted execution environment, and is used to prevent the key string and the data from being leaked or tampered with during decryption and re-encryption.
According to an embodiment of the application, the national cryptographic algorithm type comprises one or more of the national cryptographic No. 1 algorithm, the elliptic curve public key cryptographic algorithm, the cryptographic hash algorithm, and the block cipher algorithm, and the re-encryption uses the encryption mode and padding mode corresponding to the national cryptographic algorithm type.
According to an embodiment of the application, the hardware cipher machine of the second encryption channel supports accelerated computation of the national cryptographic algorithms, and exchanges data with the national cryptographic obfuscation encryption tool through a dedicated interface.
According to an embodiment of the application, after receiving the re-encrypted data, the server decrypts it through the hardware cipher machine using the corresponding national cryptographic algorithm and key string, and verifies the integrity of the decrypted data and the legitimacy of its source.
The method for updating the key comprises: setting a key rotation policy in the national cryptographic obfuscation encryption tool, with key updates triggered based on a time period or on the volume of data transmitted; when the trigger condition is met, regenerating, by the system page end, a new key for the first encryption algorithm and transmitting a key update instruction to the national cryptographic obfuscation encryption tool through the first encryption channel; and updating, by the national cryptographic obfuscation encryption tool, the corresponding key string in the local key string database and synchronously updating the key information stored at the server.
According to an embodiment of the application, the national cryptographic obfuscation encryption tool comprises an anomaly detection module for monitoring abnormal behavior during data transmission in real time; when abnormal behavior is detected, the tool immediately interrupts the current communication and triggers an alarm mechanism, wherein the abnormal behavior comprises a sudden increase in data transmission volume, a number of decryption failures exceeding a threshold, and a number of illegal key attempts exceeding a threshold.
A second aspect of the application provides an obfuscation encryption apparatus, comprising a first transmission module, a security verification module, a re-encryption module, and a second transmission module. The first transmission module is configured to establish a first encryption channel between a system page end and a national cryptographic obfuscation encryption tool, and to transmit data processed by a first encryption algorithm through the first encryption channel based on the Hypertext Transfer Protocol Secure (HTTPS). The security verification module is configured to receive, through the national cryptographic obfuscation encryption tool, the data processed by the first encryption algorithm and to perform security verification to obtain a key string and a national cryptographic algorithm type corresponding to the first encrypted data. The re-encryption module is configured to decrypt the first encrypted data, based on the key string and the national cryptographic algorithm type, in a secure isolation environment inside the national cryptographic obfuscation encryption tool, and to re-encrypt the decrypted data with a national cryptographic algorithm to obtain re-encrypted data. The second transmission module is configured to transmit the re-encrypted data to a server through a second encryption channel, wherein the second encryption channel performs encryption with a hardware cipher machine.
A third aspect of the application provides an electronic device comprising one or more processors and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method.
A fourth aspect of the application also provides a computer readable storage medium having stored thereon a computer program or instructions which when executed by a processor performs the steps of the above method.
The fifth aspect of the application also provides a computer program product comprising a computer program or instructions which, when executed by a processor, carries out the steps of the method described above.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following description of embodiments of the application with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an obfuscation encryption method, apparatus, device, medium and program product according to an embodiment of the application;
FIG. 2 schematically illustrates a flow chart of an obfuscation encryption method according to an embodiment of the application;
FIG. 3 schematically illustrates an architecture diagram of an obfuscation encryption method according to an embodiment of the application;
FIG. 4 schematically illustrates a flow chart of a method of performing security verification according to an embodiment of the application;
FIG. 5 schematically illustrates a flow chart of a method of updating a key according to an embodiment of the application;
FIG. 6 schematically illustrates a block diagram of an obfuscation encryption apparatus according to an embodiment of the application; and
FIG. 7 schematically illustrates a block diagram of an electronic device adapted to implement an obfuscation encryption method according to an embodiment of the application.
Detailed Description
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the application. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the application. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in the sense in which one skilled in the art would generally understand it (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
In the technical solution of the application, the user information involved (including but not limited to user personal information, user image information, and user equipment information such as location information) and the data involved (including but not limited to data for analysis, stored data, and displayed data) are information and data authorized by the user or fully authorized by all parties. The collection, storage, use, processing, transmission, provision, disclosure, and application of the related data all comply with relevant laws, regulations, and standards, necessary security measures are taken, public order is not prejudiced, and corresponding operation entries are provided for the user to grant or refuse authorization.
In the scene of using personal information to make automatic decision, the method, the device and the system provided by the embodiment of the application provide corresponding operation inlets for users to choose to agree or reject the automatic decision result, and enter an expert decision flow if the users choose to reject. The expression "automated decision" here refers to an activity of automatically analyzing, assessing the behavioral habits, hobbies or economic, health, credit status of an individual, etc. by means of a computer program, and making a decision. The expression "expert decision" here refers to an activity of making a decision by a person who is specializing in a certain field of work, has specialized experience, knowledge and skills and reaches a certain level of expertise.
An embodiment of the application provides an obfuscation encryption method, comprising: establishing a first encryption channel between a system page end and a national cryptographic obfuscation encryption tool, and transmitting data processed by a first encryption algorithm through the first encryption channel based on the Hypertext Transfer Protocol Secure (HTTPS); receiving, by the national cryptographic obfuscation encryption tool, the data processed by the first encryption algorithm and performing security verification to obtain a key string and a national cryptographic algorithm type corresponding to the first encrypted data; decrypting the first encrypted data, based on the key string and the national cryptographic algorithm type, in a secure isolation environment inside the national cryptographic obfuscation encryption tool, and re-encrypting the decrypted data with a national cryptographic algorithm to obtain re-encrypted data; and transmitting the re-encrypted data to a server through a second encryption channel, wherein the second encryption channel uses a national cryptographic algorithm and performs encryption with a hardware cipher machine. In this method, a first encryption channel based on HTTPS is constructed and the transmitted data is first encrypted with the first encryption algorithm; the national cryptographic obfuscation encryption tool then decrypts the data and re-encrypts it with a national cryptographic algorithm, and the data is transmitted to the server through the second encryption channel, in which a hardware cipher machine performs the national cryptographic encryption. This forms double-layer encryption protection, greatly improves the confidentiality and integrity of the data in transit, and effectively resists the risks of eavesdropping and tampering.
Meanwhile, the encryption method of the embodiment supports multiple encryption algorithms, which can be selected flexibly according to the scenario and the security requirements. The secure isolation environment ensures that the encryption operations are not subject to external interference, which safeguards the data.
FIG. 1 schematically shows an application scenario diagram of an obfuscation encryption method according to an embodiment of the application.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.
The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the obfuscation encryption method provided by the embodiment of the present application may be generally executed by the server 105. Accordingly, the obfuscation encryption device provided by the embodiments of the present application may be generally disposed in the server 105. The confusion encryption method provided by the embodiment of the present application may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, the confusion encryption apparatus provided by the embodiment of the present application may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The following describes a confusion encryption method according to an embodiment of the present application in detail with reference to fig. 2 to 5 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a method of obfuscation encryption according to an embodiment of the application, and fig. 3 schematically shows an architecture diagram of a method of obfuscation encryption according to an embodiment of the application.
As shown in fig. 2 and 3, the confusion encryption method of the embodiment includes operations S210 to S240.
In operation S210, a first encryption channel is established between the system page end and the national cryptographic obfuscation encryption tool, and data processed by the first encryption algorithm is transmitted through the first encryption channel based on the Hypertext Transfer Protocol Secure (HTTPS).
In the embodiment of the application, constructing a first encryption channel based on HTTPS between the system page end and the national cryptographic obfuscation encryption tool provides a dynamic, high-security communication encryption scheme. The scheme allows the user to flexibly select an encryption algorithm according to actual requirements (such as SM2, SM3, SM4 and other national cryptographic algorithms, or general-purpose encryption algorithms). For each communication, the system page end dynamically generates a one-time key for the first encryption algorithm; the key is used only for the current session, which ensures its uniqueness and timeliness. During data transmission, the data to be transmitted is first encrypted with the user-specified encryption algorithm and the dynamically generated key, and is then transmitted to the national cryptographic obfuscation encryption tool through the HTTPS channel. HTTPS provides transport layer encryption to secure the data in network transmission, while the national cryptographic algorithm further strengthens data protection through application layer encryption, forming a dual protection mechanism. The dynamic key mechanism avoids the leakage risk caused by long-term key storage and reuse, so that historical communication content cannot be decrypted even if an attacker intercepts encrypted data. Dynamic algorithm selection makes cracking more difficult for an attacker, so that even if some algorithms are cracked, the others continue to protect the communication. In addition, the scheme is flexible and compliant: the user can select a suitable encryption algorithm for the specific scenario, balance performance against security requirements, and at the same time meet the cryptographic compliance requirements of domestic sensitive fields such as government affairs and finance.
Referring back to FIG. 2 and FIG. 3, in operation S220, the national cryptographic obfuscation encryption tool receives the data processed by the first encryption algorithm and performs security verification to obtain the key string and national cryptographic algorithm type corresponding to the first encrypted data, wherein keys in the key string can be updated by rotation.
In an embodiment of the application, the first encrypted data is produced by applying the first encryption algorithm to data generated by a user operation; as a carrier of data generated by the user operation, the first encrypted data is therefore associated with the user information.
Fig. 4 schematically shows a flow chart of a method of performing security verification according to an embodiment of the application.
As shown in FIG. 4, the method for performing security verification in this embodiment includes operations S410-S440.
In operation S410, in response to receiving the first encrypted data, a user identifier is extracted from the user basic information, wherein the first encrypted data is associated with the user basic information.
In the embodiment of the application, the user identifier is extracted from the user's cookies (small text files that a website stores in the user's browser to record information such as user identity, preferences, and behavior data). The main steps are: the front end reads the cookies stored in the browser through JavaScript (for example, document.cookie), or the back end parses the Cookie field in the HTTP request header; a predefined identifier key-value pair (such as user_id or session_token) is extracted; an encrypted or encoded identifier is then decoded or decrypted; and, to ensure security, its integrity is verified through a hash signature and its validity period is checked against a timestamp. This technique enables user identification, supports temporary behavior tracking of anonymous users (for example, through a device fingerprint device_id) as well as account association and permission control for logged-in users, and can optimize session management by quickly retrieving session data and maintaining the user's login state.
In operation S420, an organization unique identifier associated with the user identifier is obtained from the remote dictionary service.
In the embodiment of the application, acquiring the organization unique identifier associated with the user identifier from the remote dictionary service is a key technical means of improving system performance and data access efficiency. First, the association between users and organizations is stored in a suitably designed remote dictionary service data structure (such as a hash or string type); for example, a key name (such as user_org:12345) is constructed with the user identifier (such as user_id) as part of the key, and the organization identifier (such as org_id) and other related information are recorded in the value. Second, the server sends a query command (such as HGET or GET) through a remote dictionary service client to quickly locate and retrieve the target data; if the data does not exist, a null value is returned and data initialization logic is triggered. Meanwhile, a reasonable expiration time (TTL) is set for the cached data to avoid occupying memory for long periods; for example, a user's organization information is cached for 30 minutes after login, after which it automatically expires and is re-queried from the database and updated. This mechanism has two notable effects. On the one hand, the in-memory storage of the remote dictionary service shortens query response time to the microsecond level and significantly improves system performance under high concurrency; for example, compared with database queries, the throughput of the remote dictionary service can be more than 10 times higher. On the other hand, moving high-frequency queries (such as the organization to which a user belongs) to the remote dictionary service greatly reduces database load and saves hardware cost.
In operation S430, the corresponding key string and national cryptographic algorithm type are queried from the key string database based on the organization unique identifier.
In the embodiment of the application, querying the key string and the national cryptographic algorithm type from the key string database based on the organization unique identifier ensures information security and compliance. First, a structured database table is constructed that stores the organization identifier (such as org_id), the key string (encryption_key), and the national cryptographic algorithm type (such as SM2, SM3, or SM4) as key fields, which ensures that the data is associated. Second, after the server receives the organization identifier, it retrieves the corresponding record with a database query statement (such as SELECT encryption_key, algorithm_type FROM key_database WHERE org_id = 'ORG_A001'); if no record is found, error information is returned or a key initialization flow is triggered. Finally, the query result (the key string and the algorithm type) is returned to the application layer for subsequent encryption, decryption, or signature verification. On the one hand, by assigning dedicated keys and algorithms to different organizations, the mechanism guarantees the confidentiality, integrity, and authenticity of data transmission and storage, and meets the information security and cryptographic management compliance requirements of sensitive fields such as finance and government affairs. On the other hand, it supports flexible extension by allowing each organization to select the national cryptographic algorithm type according to its own requirements, which improves the autonomous controllability of the system; meanwhile, national cryptographic algorithms (such as SM4) perform well in encryption speed and resource consumption and effectively resist cryptographic attacks.
In operation S440, it is verified whether the key string and the national secret algorithm type match a preset security policy.
In the embodiment of the application, the preset security policy first defines the compliance requirements for the key string (such as a length of at least 32 bytes, hexadecimal or Base64 encoding, and a validity period) and the supported range of national secret algorithm types (such as allowing only SM2, SM3 and SM4), forming an executable rule base. The verification process is then carried out as a multi-dimensional check. First, format verification checks whether the key string conforms to the predefined format, avoiding parsing failures caused by illegal characters or encoding errors. Second, algorithm matching compares the queried algorithm type with the list allowed by the policy, ensuring that only compliant algorithms are used. Third, if a validity period is associated with the key, validity verification checks whether the current time falls within it, preventing misuse of expired keys. Finally, if all conditions are met, the result is judged a match; otherwise it is marked as a mismatch and an alarm is raised or service is refused. On the one hand, by enforcing high-strength keys and compliant algorithms, the mechanism significantly reduces the risk of cryptographic attack; for example, a 128-bit key of the SM4 algorithm can effectively resist brute-force cracking. On the other hand, the operation and maintenance flow is simplified: a centrally managed policy reduces the cost of manual auditing, and audit tracing is supported, since the verification process can be logged to assist the investigation of later security events.
For example, in financial transactions, verification lets the system ensure that the user key and algorithm comply with the bank's security policy and that transaction signatures are valid; in a government affairs system, it can prevent sensitive information from being disclosed through use of a non-compliant algorithm in document transmission.
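The lookup of operation S430 and the three policy checks of operation S440 can be sketched as follows. This is an added example, not code from the application: the `not_after` column, the function names and the sample rows are assumptions constructed for illustration, SQLite stands in for the key string database, and the 32-byte minimum is applied to the decoded key material.

```python
import base64
import binascii
import re
import sqlite3
from datetime import datetime, timezone

# Policy values named in the text: only SM2/SM3/SM4, key of at least 32 bytes,
# hexadecimal or Base64 encoding, and a validity period.
ALLOWED_ALGORITHMS = frozenset({"SM2", "SM3", "SM4"})
MIN_KEY_BYTES = 32  # assumption: measured on the decoded key material
HEX_RE = re.compile(r"\A(?:[0-9a-fA-F]{2})+\Z")
FAR_FUTURE = "2099-01-01T00:00:00+00:00"


def open_demo_db():
    """Create an in-memory key string table filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE key_database (org_id TEXT PRIMARY KEY,"
        " encryption_key TEXT, algorithm_type TEXT, not_after TEXT)"
    )
    b64_key = base64.b64encode(bytes(range(32))).decode()
    db.executemany(
        "INSERT INTO key_database VALUES (?, ?, ?, ?)",
        [
            ("ORG_A001", "ab" * 32, "SM4", FAR_FUTURE),   # compliant
            ("ORG_B002", "ab" * 16, "SM4", FAR_FUTURE),   # only 16 bytes
            ("ORG_C003", b64_key, "AES", FAR_FUTURE),     # algorithm not allowed
            ("ORG_D004", "ab" * 32, "SM2", "2020-01-01T00:00:00+00:00"),  # expired
            ("ORG_E005", "not a key!", "SM3", FAR_FUTURE),  # undecodable
        ],
    )
    return db


def lookup_key(db, org_id):
    """Parameterized form of the SELECT in the text: org_id is bound, never
    spliced into the SQL string, so a crafted identifier cannot alter the query."""
    return db.execute(
        "SELECT encryption_key, algorithm_type, not_after"
        " FROM key_database WHERE org_id = ?",
        (org_id,),
    ).fetchone()


def decode_key_string(key_string):
    """Return the key bytes if the string is hex or strict Base64, else None.
    Hex is tried first, so an all-hex string is never read as Base64."""
    if HEX_RE.match(key_string):
        return bytes.fromhex(key_string)
    try:
        return base64.b64decode(key_string, validate=True)
    except (binascii.Error, ValueError):
        return None


def verify_policy(row, now=None):
    """Return the list of policy failures; an empty list means a match."""
    now = now or datetime.now(timezone.utc)
    if row is None:
        return ["lookup: no key record for this organization"]
    key_string, algorithm_type, not_after = row
    failures = []
    raw = decode_key_string(key_string)
    if raw is None:
        failures.append("format: key string is neither hex nor Base64")
    elif len(raw) < MIN_KEY_BYTES:
        failures.append(f"length: {len(raw)} bytes is below {MIN_KEY_BYTES}")
    if algorithm_type not in ALLOWED_ALGORITHMS:
        failures.append(f"algorithm: {algorithm_type!r} is not allowed")
    if now >= datetime.fromisoformat(not_after):
        failures.append(f"validity: key expired at {not_after}")
    return failures


if __name__ == "__main__":
    demo = open_demo_db()
    for org in ("ORG_A001", "ORG_B002", "ORG_C003", "ORG_D004", "ORG_E005"):
        result = verify_policy(lookup_key(demo, org))
        print(org, "match" if not result else result)
```

Returning every failure rather than stopping at the first gives the audit log mentioned in the text a complete record of why a key was rejected.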
In the embodiment of the application, national secret algorithms (such as SM1, SM2, SM3 and SM4) are combined with data obfuscation technology. A dynamic key string management mechanism acquires the key string dynamically according to rules such as the user identifier and a timestamp, which avoids the security risk of a fixed key. A multi-algorithm adaptation scheme allows the national secret algorithm to be selected flexibly to meet the needs of different scenarios, and a multi-dimensional security verification process verifies the integrity and legitimacy of received encrypted data. Combining national secret algorithms with obfuscation greatly improves the resistance of data to cracking in transmission and storage, and is particularly suitable for the government and financial fields with high security requirements. The dynamic key string mechanism effectively limits the impact of a key leak and keeps the system continuously secure; multi-algorithm support enhances the compatibility and extensibility of the system and adapts to diverse encryption requirements; and the comprehensive security verification process prevents malicious data from intruding and keeps the system stable and reliable.
Fig. 5 schematically shows a flow chart of a key updating method according to an embodiment of the application.
As shown in fig. 5, the key updating method of this embodiment includes operations S510 to S530.
In operation S510, a key rotation policy is set in the national secret obfuscation encryption tool; the key rotation policy triggers a key update based on a time period or a data transmission amount.
In the embodiment of the application, a key rotation policy is set in the national secret obfuscation encryption tool. The key rotation policy is a security mechanism that triggers a dynamic key update through a preset time period or data transmission threshold, in order to reduce the exposure risk of long-lived keys and improve the attack resistance of the encryption system. The trigger conditions include a trigger based on a time period (such as automatically generating a new key every 24 hours or every hour), a trigger based on data transmission amount (such as updating the key after a cumulative 1GB or 500MB of data has been transmitted), or a hybrid strategy (such as a dual-condition trigger combining every 24 hours with every 500MB transmitted), combined with the national secret algorithms (such as generating random keys with SM4 and distributing keys securely with SM2) to automate key management. By updating the key periodically, the key rotation policy significantly narrows the impact of a key leak: even if an old key is cracked, an attacker can decrypt only the data of a limited time period and cannot obtain subsequent communication content, so long-term eavesdropping and brute-force attacks are effectively resisted. In addition, the dynamic key mechanism makes the system less predictable and is particularly suitable for resisting potential threats from new attack methods such as quantum computing. In practice, the rotation parameters can be adjusted flexibly to the service scenario (for example, a short period for a high-frequency transaction system and a long period for a low-frequency scenario) to balance security against performance cost. For example, a financial transaction system may protect funds through high-frequency rotation, while Internet of Things devices may extend the period appropriately to reduce resource consumption.
The method reduces the operational risk of manual intervention through automated key generation, distribution and destruction, improves the confidentiality and integrity of data transmission, ensures that sensitive information is protected by the latest key throughout its life cycle, strengthens the overall security resilience of the system, and provides reliable encryption for high-security scenarios such as government affairs and finance. Through the combined application of the key rotation policy and the national secret algorithms, the encryption tool achieves dynamic and intelligent key management.
In operation S520, when the trigger condition is satisfied, the system page end generates a new first encryption algorithm key and transmits a key update instruction to the national secret obfuscation encryption tool through the first encryption channel.
In the embodiment of the application, when the key rotation mechanism detects that a preset trigger condition is met (such as expiry of the time period or the data transmission amount reaching its threshold), the system page end automatically starts a key update process. First, the system calls a cryptographically secure random number generator to generate a new key that meets the national secret standard (for example, a 128-bit SM4 symmetric key), and ensures its randomness and uniqueness by hash checking, preventing the key from being predicted or reused. The system page end then encapsulates the new key and the update instruction as an encrypted message and transmits it securely to the national secret obfuscation encryption tool over the established first encryption channel (based on the HTTPS protocol, with SM2 asymmetric encryption or SM4 symmetric encryption layered on top for dual protection). Through identity authentication, data encryption and integrity verification, the channel ensures that the key update instruction is not stolen, tampered with or forged in transit. After receiving the instruction, the national secret obfuscation encryption tool verifies the source of the message and the integrity of its content, replaces the old key once these are confirmed to be correct, and reports the update result back to the system page end. After both parties confirm that the key update has succeeded, the old key is securely destroyed (such as by memory overwriting or key erasure techniques) to avoid residual risk. The automatic key update process reduces manual intervention and lowers the risk of operator error.
In operation S530, the national secret obfuscation encryption tool updates the corresponding key string in the local key string database and synchronously updates the key information stored on the server.
In the embodiment of the application, during key rotation the national secret obfuscation encryption tool updates the local key string database immediately after receiving the new key: it marks the old key as invalid, inserts the new key entry, and updates the key version number or timestamp to identify the key state, which keeps local key management accurate and traceable. The tool then synchronizes the new key information (including the key ID, value, effective time and so on) to the server through a secure channel (such as TLS encryption); after verification, the server updates its stored key record and notifies the associated devices or services, so that key information is globally consistent. The mechanism effectively avoids communication failures caused by inconsistent key versions, while retaining a historical key record to support key rollback in abnormal conditions. Through automatic synchronization, the system both improves the reliability of encrypted communication in a distributed environment and makes key management more auditable.
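Operations S510 to S530 can be sketched as a rotation policy plus a versioned local key table. This is an added example, not code from the application: the class and field names are hypothetical, either condition alone triggers a rotation (one reading of the hybrid strategy), SHA-256 stands in for the unspecified uniqueness hash check, and the old key bytes are overwritten at rotation time while only metadata is kept as history.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass(frozen=True)
class RotationPolicy:
    max_age_seconds: float = 24 * 3600  # time-period trigger from the text
    max_bytes: int = 500 * MB           # data-volume trigger from the text

    def trigger(self, age_seconds, bytes_sent):
        """Return why a rotation is due ('period' or 'volume'), or None."""
        if age_seconds >= self.max_age_seconds:
            return "period"
        if bytes_sent >= self.max_bytes:
            return "volume"
        return None


class KeyStringStore:
    """Local key string table: one active entry, older entries kept as retired."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock      # injectable so the policy can be tested
        self.entries = []
        self.bytes_sent = 0
        self._install_new_key()

    @property
    def active(self):
        return self.entries[-1]

    def _install_new_key(self):
        seen = {entry["fingerprint"] for entry in self.entries}
        while True:
            key = bytearray(secrets.token_bytes(16))  # 128 bits from the OS CSPRNG
            fingerprint = hashlib.sha256(key).hexdigest()
            if fingerprint not in seen:  # uniqueness check: never reuse a key
                break
        if self.entries:
            old = self.active
            old["status"] = "retired"
            # Best-effort overwrite of the old key bytes; Python cannot
            # guarantee that no other copy remains in memory.
            old["key"][:] = bytes(len(old["key"]))
        self.entries.append({
            "version": len(self.entries) + 1,
            "key": key,
            "fingerprint": fingerprint,
            "created": self.clock(),
            "status": "active",
        })
        self.bytes_sent = 0

    def record_transfer(self, nbytes):
        """Account for nbytes sent under the active key and rotate if the
        policy fires. Returns the trigger reason, or None if no rotation."""
        self.bytes_sent += nbytes
        age = self.clock() - self.active["created"]
        reason = self.policy.trigger(age, self.bytes_sent)
        if reason:
            self._install_new_key()
        return reason


if __name__ == "__main__":
    store = KeyStringStore(RotationPolicy())
    for chunk in (200 * MB, 200 * MB, 200 * MB):
        reason = store.record_transfer(chunk)
        print("version", store.active["version"], "rotated by", reason)
```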
Referring back to fig. 2 and 3, in operation S230, based on the key string and the national secret algorithm type, the first encrypted data is decrypted in a secure isolation environment inside the national secret obfuscation encryption tool, and the decrypted data is re-encrypted with a national secret algorithm to obtain re-encrypted data.
In the embodiment of the application, a secure isolation environment is first built inside the national secret obfuscation encryption tool. Physical and logical isolation blocks the external attack surface and ensures that the key string, the algorithm logic and the data operations are executed within a secure domain, preventing side-channel attacks and memory theft. The decryption and re-encryption process is then completed inside the isolation environment. In the decryption stage, the queried key string (such as an SM4 symmetric key) is securely injected, a decryption engine is initialized according to the national secret algorithm type (such as SM4 in cipher block chaining mode), and an underlying national secret library (such as a national secret Secure Sockets Layer implementation) is called to decrypt the first encrypted data (including the ciphertext and the initialization vector (IV)) and restore the original plaintext data. In the re-encryption stage, a new national secret algorithm (such as SM4 in Galois/counter mode) and a key (possibly the same key or a dynamically generated new key) are selected dynamically according to service requirements or security policies, and the plaintext data is encrypted to generate re-encrypted data including the ciphertext, the authentication tag and related information; secure channel isolation ensures that the encryption result is handled and destroyed only within the environment. On the one hand, the double guarantee of secure isolation and a national secret algorithm (such as the authenticated encryption of SM4 in Galois/counter mode) effectively resists the risks of data tampering and leakage. On the other hand, dynamic algorithm switching and flexible key management are supported, meeting scenario requirements such as cross-border data transmission (for example, re-encryption with the compliant algorithm of the target country) and tiered protection of sensitive data, reducing dependence on foreign encryption technology and improving supply chain security.
In this way, compliance and business flexibility can be balanced while the data is kept secure over its whole life cycle, providing reliable protection for critical information infrastructure.
In an embodiment of the present application, the secure isolation environment is a Hardware Security Module (HSM) or a Trusted Execution Environment (TEE), used to prevent key strings and sensitive data from being leaked or tampered with during decryption and re-encryption. The HSM is an independent encryption device that relies on tamper-resistant hardware and a dedicated encryption chip to manage key generation, storage, use and destruction in a closed loop; it ensures that key material is never exposed to an external system in plaintext form, and its design against physical attack resists side-channel theft. The TEE partitions an independent secure domain within a general-purpose computing platform through hardware-level isolation, confines decryption and re-encryption operations to an encrypted memory space that is completely isolated from the external operating system, and supports dynamic integrity verification and remote attestation, preventing tampering by malicious software and environment spoofing. Used together, the two can effectively block risks such as key leakage (for example, memory scanning and debug interface attacks), data tampering (for example, a man-in-the-middle hijacking plaintext) and replay attacks (for example, intercepting ciphertext for reuse). Typical application scenarios include encryption of bank card PIN codes by an HSM in financial payment, isolated decryption of sensitive documents by a TEE in a government cloud environment, and integrity verification of firmware upgrade packages inside a TEE on Internet of Things devices. Enterprises are thereby given a high-security data protection scheme that balances cost and performance while meeting national secret compliance requirements.
In an embodiment of the present application, the national secret algorithm type includes one or a combination of the national secret No. 1 algorithm (SM1), the elliptic curve public key cryptographic algorithm (SM2), the cryptographic hash algorithm (SM3) and the block cipher algorithm (SM4). These algorithms can be configured flexibly according to service security requirements to form a multi-level protection system. SM1 is a symmetric block encryption algorithm widely applied in high-security scenarios such as financial IC cards. SM2 provides digital signature, key exchange and public key encryption functions based on Elliptic Curve Cryptography (ECC). SM3 is a cryptographic hash algorithm that outputs a 256-bit digest and is suitable for data integrity verification and digital signature generation. SM4 is a symmetric block encryption algorithm that supports a 128-bit key and block length and is suitable for encrypted transmission of large amounts of data. In the re-encryption process, the encryption mode and padding mode corresponding to the national secret algorithm type are adopted. For example, SM4 can be combined with CBC (cipher block chaining) or GCM (Galois/counter) mode: the former requires PKCS#7 padding to fit the block length, and the latter ensures confidentiality and integrity through an authenticated encryption (AEAD) mechanism. SM2 adopts the ECIES (elliptic curve integrated encryption scheme) framework by default for public key encryption, combining a Key Derivation Function (KDF) with a symmetric encryption algorithm (such as SM4) to achieve hybrid encryption. SM3 is embedded directly in the digital signature flow as the hash function (for example, an SM2 signature first requires the SM3 digest of the message to be computed).
Through dynamic combination of algorithms and modes, the system can tailor the optimal security policy to different scenarios (for example, data storage encryption, network communication encryption and authentication).
In operation S240, the re-encrypted data is transmitted to the server through the second encryption channel; the second encryption channel uses a national secret algorithm and performs encryption with a hardware cipher machine.
In the embodiment of the application, the hardware cipher machine of the second encryption channel supports accelerated computation of the national secret algorithms, and exchanges data with the national secret obfuscation encryption tool through a dedicated interface to keep the encryption process efficient and secure.
In the embodiment of the application, in order to ensure the absolute security of the re-encrypted sensitive data in transit, the system completes the data transmission through a dedicated second encryption channel, which strictly follows the national secret algorithm standards and uses a hardware cipher machine as its core encryption engine. Before the data leaves the local security domain, the system first applies a second encryption (that is, re-encryption) to the original ciphertext to generate an encrypted data packet that conforms to the national secret specification. The packet is then transmitted to the server through the preconfigured second encryption channel, which uses the SM4-GCM block encryption mode or an SM2-SM3 hybrid encryption framework (selected dynamically according to service requirements) to ensure the confidentiality, integrity and replay resistance of the data. The encryption operations of the second encryption channel are performed by a hardware cipher machine (such as a national secret HSM or a PCI-E encryption card) deployed at the network boundary. Based on a dedicated encryption chip, the device manages the whole key life cycle (key generation, storage, use and destruction are all completed within the hardware isolation environment) and resists side-channel attacks through a physical tamper-proof design (such as epoxy resin encapsulation and an active destruction circuit). In addition, the hardware cipher machine is deeply integrated with the transport layer protocol (such as a custom national secret TLS 1.2 protocol stack): mutual identity authentication, key negotiation and parameter verification are completed automatically when the encryption channel is established, so that the channel cannot be forged and is accessible only to authorized parties.
After the server receives the re-encrypted data, the method may further include decrypting the re-encrypted data through the hardware cipher machine with the corresponding national secret algorithm and key string, and verifying the integrity and source legitimacy of the decrypted data. Specifically, the hardware cipher machine first extracts a pre-injected national secret key string (such as an SM4 symmetric key or an SM2 private key) from an internal secure storage medium (such as a tamper-resistant encryption chip or an HSM key store), and automatically matches the corresponding national secret algorithm (such as SM4-CBC mode decryption or SM2 asymmetric decryption) according to the algorithm identifier in the ciphertext header. During decryption, the hardware cipher machine performs the core operations on a dedicated encryption coprocessor, so that the key material always resides in the hardware isolation environment in encrypted form, avoiding the key leakage risk of host memory scanning or an exposed debug interface. After decryption is complete, the system immediately performs integrity verification and source legitimacy verification on the plaintext data.
Integrity verification uses the national secret hash value (such as an SM3 digest) or Message Authentication Code (MAC) (such as the GMAC built into SM4-GCM mode) associated with the ciphertext: the hardware cipher machine recalculates the hash value of the plaintext data and compares it with the original value to ensure that the data has not been tampered with. Source legitimacy verification depends on how the ciphertext was protected. If the ciphertext is protected by a digital signature (such as an SM2 signature), the validity of the signature is verified with the SM2 public key built into the hardware cipher machine, and the identity of the signer (such as a national secret digital certificate issued by a CA) is resolved and confirmed through the certificate chain. If the ciphertext was generated through key negotiation (such as the SM2 key exchange protocol), it is verified whether the derivation of the session key complies with the national secret standard (such as the key derivation rules defined in GB/T 38636). In addition, the hardware cipher machine generates an audit log in real time during decryption and verification, recording the operation time, the key identifier, the algorithm type and the verification result, and digitally signs the log with the national secret SM9 identity-based cryptography to ensure traceability after the fact. If any verification step fails (for example, the hash value does not match or the signature is invalid), the system immediately triggers a security response mechanism, including discarding the plaintext data, blocking subsequent transmissions and reporting a security event. Through this mechanism, the system can effectively resist ciphertext tampering attacks, injection of forged data and the risk of key abuse.
In the embodiment of the application, in order to further improve the active defense capability of the national secret obfuscation encryption tool in a complex network environment, the tool may further include an anomaly detection module. The anomaly detection module monitors abnormal behavior during data transmission in real time, builds a dynamic threat perception and emergency response mechanism, and, when abnormal behavior is detected, immediately interrupts the current communication and triggers an alarm mechanism. The abnormal behavior includes a sudden increase in data transmission amount, a number of decryption failures exceeding a threshold, and a number of illegal key attempts exceeding a threshold. Specifically, the module uses a multi-dimensional anomaly detection algorithm to build a dynamic monitoring system for these three types of abnormal behavior. For a sudden increase in data transmission amount, the packet traffic per unit time is counted with a sliding window algorithm, and the threshold is calculated dynamically from the historical traffic baseline (such as the mean of the last 7 days) and the standard deviation; if the current traffic exceeds the baseline value by 3 standard deviations (or by a parameter adjusted dynamically to the service scenario), an abnormal traffic peak is declared. Such anomalies may result from data theft attempts (for example, an attacker stealing encrypted files through bulk transfer), and the system triggers an emergency response immediately. For decryption failures exceeding the threshold, decryption failure events of the national secret algorithms (such as SM4 symmetric encryption and SM2 asymmetric encryption) are counted in real time by analyzing the logs of the hardware cipher machine or the software cryptographic engine.
If decryption fails 5 times consecutively (or a custom threshold), and the error types are concentrated on anomalies such as "key mismatch" or "MAC verification failure", it is judged that there is a high risk of key leakage or a man-in-the-middle attack. For example, an attacker may try to decrypt data by forging a certificate or stealing a key, and the system blocks the threat through the alarm and key rotation mechanisms. For illegal key attempts exceeding the threshold, the number of invalid key inputs per unit time is monitored in the key negotiation and authentication steps (such as SM2 key exchange and SM9 identity-based cryptography). If attempts using random forged keys or expired certificates, or signature verification failures, exceed 10 (or a dynamic threshold), brute-force cracking or a dictionary attack is declared. Such attacks are often used to steal session keys or impersonate legitimate devices, and the system blocks the source of the attack by temporarily freezing the key and updating firewall rules.
When the anomaly detection module captures any anomaly, the system executes a threefold emergency response. First, communication interruption: the current connection is forcibly closed through the underlying network driver and the session state table is cleared, preventing an attacker from penetrating further over an established communication channel. Second, alarm triggering: a structured security event is generated and pushed to the Security Operation Center (SOC) through a national secret SM4-GCM encrypted channel, ensuring that the alarm information is not tampered with in transit. Third, a self-healing mechanism: the key or session suspected of being attacked is temporarily frozen (for example, reuse is prohibited for 30 minutes), a key rotation flow is triggered (for example, revoking and reissuing SM2 certificates), and firewall rules are updated to block subsequent access from the suspicious IP.
In addition, the anomaly detection module uses adaptive learning: it dynamically optimizes the threshold parameters through a machine learning algorithm to avoid false positives (such as normal service peaks) and false negatives (such as low-frequency but sustained attacks). For example, in a government extranet scenario, the system can automatically adjust the baseline threshold according to the historical traffic pattern (such as a daily document transmission peak from 9:00 to 11:00); in a financial payment scenario, small-amount, high-frequency fraud attempts are identified accurately by correlating transaction amounts with the decryption failure rate. Through this mechanism, the national secret obfuscation encryption tool can effectively block threats such as key leakage, man-in-the-middle attacks and brute-force cracking.
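The three detection rules described above can be sketched as follows. This is an added example, not code from the application: the class, event names and sample data are constructed for illustration, the population standard deviation is used for the baseline, and the "unit time" for illegal key attempts is assumed to be 60 seconds.

```python
import statistics
from collections import deque


class AnomalyDetector:
    """Traffic spike, consecutive decryption failures, illegal key attempts."""

    def __init__(self, baseline, sigmas=3.0, max_failures=5,
                 max_bad_keys=10, window_seconds=60.0):
        # Dynamic threshold: baseline mean plus `sigmas` standard deviations.
        self.threshold = (statistics.mean(baseline)
                          + sigmas * statistics.pstdev(baseline))
        self.max_failures = max_failures
        self.max_bad_keys = max_bad_keys
        self.window_seconds = window_seconds  # assumed "unit time"
        self.consecutive_failures = 0
        self.bad_key_times = deque()

    def traffic_spike(self, volume):
        """True if the traffic of the current window exceeds the threshold."""
        return volume > self.threshold

    def decrypt_result(self, ok):
        """True when failures reach max_failures in a row; success resets."""
        if ok:
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_failures:
            self.consecutive_failures = 0  # the connection is cut; start over
            return True
        return False

    def bad_key_attempt(self, ts):
        """True when more than max_bad_keys attempts fall inside the window."""
        self.bad_key_times.append(ts)
        while ts - self.bad_key_times[0] > self.window_seconds:
            self.bad_key_times.popleft()  # drop attempts older than the window
        if len(self.bad_key_times) > self.max_bad_keys:
            self.bad_key_times.clear()
            return True
        return False


def scan(events, detector):
    """Run (timestamp, kind, value) events through the detector in order and
    return the (timestamp, alert_name) pairs that would interrupt the session."""
    alerts = []
    for ts, kind, value in events:
        if kind == "traffic" and detector.traffic_spike(value):
            alerts.append((ts, "traffic_spike"))
        elif kind == "decrypt" and detector.decrypt_result(value):
            alerts.append((ts, "decrypt_failures"))
        elif kind == "bad_key" and detector.bad_key_attempt(ts):
            alerts.append((ts, "illegal_key_attempts"))
    return alerts


# Constructed sample data: seven daily traffic means (MB per window).
BASELINE = [100, 110, 90, 105, 95, 100, 100]


def sample_events():
    """Constructed event stream exercising each rule at and below its limit."""
    events = [(0, "traffic", 115), (1, "traffic", 130)]
    events += [(10 + i, "decrypt", False) for i in range(4)]   # 4 failures
    events += [(14, "decrypt", True)]                          # success resets
    events += [(15 + i, "decrypt", False) for i in range(5)]   # 5 in a row
    events += [(100 + i, "bad_key", None) for i in range(10)]  # exactly 10
    events += [(300 + i, "bad_key", None) for i in range(11)]  # 11 in window
    return events


if __name__ == "__main__":
    for ts, name in scan(sample_events(), AnomalyDetector(BASELINE)):
        print(f"t={ts}: {name} -> interrupt connection, raise alarm, freeze key")
```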
Based on the confusion encryption method, the application also provides a confusion encryption device. The device will be described in detail below in connection with fig. 6.
Fig. 6 schematically shows a block diagram of a confusion encryption apparatus according to an embodiment of the present application.
As shown in fig. 6, the obfuscated encryption device 800 of this embodiment includes a first transmission module 810, a security verification module 820, a re-encryption module 830, and a second transmission module 840.
The first transmission module 810 is configured to establish a first encryption channel between the system page end and the national secret obfuscation encryption tool, and to transmit the data processed by the first encryption algorithm through the first encryption channel based on the Hypertext Transfer Protocol Secure. In an embodiment, the first transmission module 810 may be configured to perform operation S210 described above, which is not described again here.
The security verification module 820 is configured to receive, using the national secret obfuscation encryption tool, the data processed by the first encryption algorithm and to perform security verification to obtain the key string and the national secret algorithm type corresponding to the first encrypted data, where the keys in the key string can be updated by rotation. In an embodiment, the security verification module 820 may be configured to perform operation S220 described above, which is not described again here.
The re-encryption module 830 is configured to decrypt the first encrypted data, based on the key string and the national secret algorithm type, in a secure isolation environment inside the national secret obfuscation encryption tool, and to re-encrypt the decrypted data with a national secret algorithm. In an embodiment, the re-encryption module 830 may be configured to perform operation S230 described above, which is not described again here.
The second transmission module 840 is configured to transmit the re-encrypted data to the server through a second encryption channel, where the second encryption channel uses a national secret algorithm and performs encryption with a hardware cipher machine. In an embodiment, the second transmission module 840 may be configured to perform operation S240 described above, which is not described again here.
According to an embodiment of the present application, any number of the first transmission module 810, the security verification module 820, the re-encryption module 830 and the second transmission module 840 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of these modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the application, at least one of the first transmission module 810, the security verification module 820, the re-encryption module 830 and the second transmission module 840 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware by any other reasonable way of integrating or packaging a circuit, or in any one of software, hardware and firmware or a suitable combination of the three. Alternatively, at least one of the first transmission module 810, the security verification module 820, the re-encryption module 830 and the second transmission module 840 may be implemented at least in part as a computer program module which, when run, performs the corresponding functions.
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement an obfuscation encryption method according to an embodiment of the application.
As shown in Fig. 7, an electronic device 900 according to an embodiment of the present application includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the application.
In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to an embodiment of the present application by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present application by executing programs stored in one or more memories.
According to an embodiment of the application, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of an input portion 906 including a keyboard, a mouse, etc., an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc., a storage portion 908 including a hard disk, etc., and a communication portion 909 including a network interface card such as a LAN card, a modem, etc., connected to an input/output (I/O) interface 905. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to an input/output (I/O) interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
The present application also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present application.
According to embodiments of the application, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the application, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
Embodiments of the present application also include a computer program product comprising a computer program containing program code for performing the method shown in the flowcharts. When the computer program product is run on a computer system, the program code causes the computer system to carry out the obfuscation encryption method provided by the embodiments of the present application.
The above-described functions defined in the system/apparatus of the embodiment of the present application are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the application.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may comprise program code that is transmitted using any appropriate network medium, including but not limited to wireless, wireline, etc., or any suitable combination of the preceding.
In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiment of the present application are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the application.
According to embodiments of the present application, program code for carrying out computer programs provided by embodiments of the present application may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the application can be combined in a variety of ways, even if such combinations are not explicitly recited in the present application. In particular, the features recited in the various embodiments of the application can be combined in various ways without departing from the spirit and teachings of the application. All such combinations fall within the scope of the application.

Claims (13)

1. An obfuscation encryption method, the method comprising:
establishing a first encryption channel between a system page end and a national secret obfuscation encryption tool, and transmitting data processed by a first encryption algorithm through the first encryption channel based on the Hypertext Transfer Protocol Secure (HTTPS);
receiving, by the national secret obfuscation encryption tool, the data processed by the first encryption algorithm and performing security verification to obtain a key string and a national secret algorithm type corresponding to the first encrypted data;
decrypting the first encrypted data in a secure isolation environment inside the national secret obfuscation encryption tool based on the key string and the national secret algorithm type, and re-encrypting the decrypted data with a national secret algorithm to obtain re-encrypted data; and
transmitting the re-encrypted data to a server through a second encryption channel, wherein the second encryption channel uses a national secret algorithm and uses a hardware cipher machine to perform encryption;
wherein keys in the key string can be updated by rotation.
2. The method of claim 1, wherein the encryption algorithm of the first encryption channel is dynamically selected by a user according to requirements, and
the key of the first encryption algorithm is dynamically generated by the system page end and is used only for the current communication.
3. The method of claim 1, wherein the method of performing security verification comprises:
extracting a user identifier from user basic information in response to receiving the first encrypted data, wherein the first encrypted data is associated with the user basic information;
obtaining an organization unique identifier associated with the user identifier from a remote dictionary service;
querying a key string database for a corresponding key string and national secret algorithm type based on the organization unique identifier; and
verifying that the key string and the national secret algorithm type match a preset security policy.
4. The method of claim 1, wherein the secure isolation environment is a hardware security module or trusted execution environment for preventing the key string and data from being compromised or tampered with during decryption and re-encryption.
5. The method of claim 1, wherein the national secret algorithm type comprises one or a combination of more of the national secret No. 1 algorithm, an elliptic curve public key cryptographic algorithm, a cryptographic hash algorithm, and a block cipher algorithm, and
the re-encryption process uses an encryption mode and a padding mode corresponding to the national secret algorithm type.
6. The method of claim 1, wherein the hardware cipher machine of the second encryption channel supports accelerated operation of national secret algorithms, and wherein data interaction between the hardware cipher machine and the national secret obfuscation encryption tool is performed via a dedicated interface.
7. The method according to claim 1, wherein the method further comprises:
after the server receives the re-encrypted data, the server decrypts the re-encrypted data through a hardware cipher machine using the corresponding national secret algorithm and key string, and verifies the integrity and source legitimacy of the decrypted data.
8. The method of claim 1, wherein the method of updating the key comprises:
setting a key rotation policy in the national secret obfuscation encryption tool, wherein the key rotation policy triggers a key update based on a time period or a data transmission volume;
when the trigger condition is met, the system page end regenerates a new first encryption algorithm key and transmits a key update instruction to the national secret obfuscation encryption tool through the first encryption channel;
the national secret obfuscation encryption tool updates the corresponding key string in the local key string database and synchronously updates the key information stored at the server.
9. The method of claim 1, wherein the national secret obfuscation encryption tool includes an anomaly detection module configured to monitor abnormal behavior in the data transmission process in real time, and upon detecting abnormal behavior, the national secret obfuscation encryption tool immediately interrupts the current communication and triggers an alert mechanism,
wherein the abnormal behavior comprises a sudden increase in data transmission volume, the number of decryption failures exceeding a threshold, and the number of illegal key attempts exceeding a threshold.
10. An obfuscation encryption apparatus, the apparatus comprising:
a first transmission module, configured to establish a first encryption channel between a system page end and a national secret obfuscation encryption tool, and to transmit data processed by a first encryption algorithm through the first encryption channel based on the Hypertext Transfer Protocol Secure (HTTPS);
a security verification module, configured to receive, by the national secret obfuscation encryption tool, the data processed by the first encryption algorithm and perform security verification, so as to obtain a key string and a national secret algorithm type corresponding to the first encrypted data;
a re-encryption module, configured to decrypt the first encrypted data in a secure isolation environment inside the national secret obfuscation encryption tool based on the key string and the national secret algorithm type, and to re-encrypt the decrypted data with a national secret algorithm to obtain re-encrypted data; and
a second transmission module, configured to transmit the re-encrypted data to the server through a second encryption channel, wherein the second encryption channel uses a national secret algorithm and uses a hardware cipher machine to perform encryption;
wherein keys in the key string can be updated by rotation.
11. An electronic device, comprising:
one or more processors;
a memory for storing one or more computer programs,
characterized in that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1-9.
12. A computer-readable storage medium, on which a computer program or instructions is stored, which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 9.
13. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the method according to any one of claims 1 to 9.
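The anomaly conditions of claim 9, written as a per-channel monitor: an added example, not code from the patent or the applicant. The threshold values, the 60-second window, the surge definition (current window against the mean of earlier windows), the latch-closed behaviour and all names are assumptions; the claim names only the three conditions and the interrupt-and-alert response.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Limits:
    # Assumed values: claim 9 names the conditions, not the numbers.
    max_events: dict = field(default_factory=lambda: {"decrypt_fail": 3, "bad_key": 3})
    window_seconds: int = 60
    surge_factor: float = 5.0        # current window vs. mean of earlier windows
    min_baseline_windows: int = 3    # no surge verdict without this much history
    surge_floor_bytes: int = 50_000  # a near-idle channel cannot "surge"

@dataclass
class ChannelMonitor:
    limits: Limits = field(default_factory=Limits)
    counts: dict = field(default_factory=dict)
    interrupted: bool = False
    alerts: list = field(default_factory=list)
    baseline: deque = field(default_factory=lambda: deque(maxlen=10))
    window_id: int = -1
    window_bytes: int = 0

    def _trip(self, ts, reason):
        self.interrupted = True           # cut the current communication ...
        self.alerts.append((ts, reason))  # ... and record the alert
        return False

    def _roll(self, ts):
        # Timestamps are assumed monotonic; a new window closes the previous one.
        wid = int(ts // self.limits.window_seconds)
        if wid != self.window_id:
            if self.window_id >= 0:
                self.baseline.append(self.window_bytes)
            self.window_id, self.window_bytes = wid, 0

    def observe(self, ts, kind, nbytes=0):
        """Return True if the event may proceed, False once the channel is cut."""
        if self.interrupted:
            return False                  # assumption: stays closed until reset
        lim = self.limits
        if kind in lim.max_events:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            if self.counts[kind] > lim.max_events[kind]:
                return self._trip(ts, kind + "_threshold")
        elif kind == "data":
            self._roll(ts)
            self.window_bytes += nbytes
            if len(self.baseline) >= lim.min_baseline_windows:
                mean = sum(self.baseline) / len(self.baseline)
                if self.window_bytes > max(lim.surge_factor * mean, lim.surge_floor_bytes):
                    return self._trip(ts, "volume_surge")
        return True

def replay(events, limits=None):
    mon = ChannelMonitor(limits or Limits())
    for ts, kind, nbytes in events:
        mon.observe(ts, kind, nbytes)
    return mon

# Constructed sample events (timestamp, kind, bytes); not from a real system.
SURGE = [(0, "data", 10_000), (60, "data", 12_000), (120, "data", 11_000),
         (180, "data", 9_000), (185, "data", 80_000), (190, "data", 500)]
FAILS = [(t, "decrypt_fail", 0) for t in (1, 2, 3, 4)] + [(5, "data", 100)]
```

The surge floor and the minimum-history check keep a newly opened or near-idle channel from tripping on its first ordinary burst, which is the usual source of false interrupts with ratio-based volume rules.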
CN202510851390.1A 2025-06-24 2025-06-24 Confusion encryption method, apparatus, device, medium, and program product Pending CN120602181A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510851390.1A CN120602181A (en) 2025-06-24 2025-06-24 Confusion encryption method, apparatus, device, medium, and program product

Publications (1)

Publication Number Publication Date
CN120602181A true CN120602181A (en) 2025-09-05

Family

ID=96895567

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510851390.1A Pending CN120602181A (en) 2025-06-24 2025-06-24 Confusion encryption method, apparatus, device, medium, and program product

Country Status (1)

Country Link
CN (1) CN120602181A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination